Pull up the following, requested by mrg in ticket #304:
external/mit/xorg-server/dist/ChangeLog up to 1.1.1.33
external/mit/xorg-server/dist/configure up to 1.26
external/mit/xorg-server/dist/configure.ac up to 1.28
external/mit/xorg-server/dist/meson.build up to 1.1.1.23
external/mit/xorg-server/dist/meson_options.txt up to 1.1.1.4
external/mit/xorg-server/dist/Xext/saver.c up to 1.6
external/mit/xorg-server/dist/Xext/sync.c up to 1.16
external/mit/xorg-server/dist/Xi/xipassivegrab.c up to 1.9
external/mit/xorg-server/dist/dix/dixfonts.c up to 1.9
external/mit/xorg-server/dist/glx/glxcmds.c up to 1.17
external/mit/xorg-server/dist/glx/glxcmdsswap.c up to 1.5
external/mit/xorg-server/dist/glx/single2.c up to 1.5
external/mit/xorg-server/dist/glx/single2swap.c up to 1.5
external/mit/xorg-server/dist/hw/xfree86/dri2/dri2.c up to 1.7
external/mit/xorg-server/dist/include/closestr.h up to 1.1.1.5
external/mit/xorg-server/dist/miext/sync/misync.c up to 1.1.1.6
external/mit/xorg-server/dist/present/present_notify.c up to 1.1.1.4
[9 lines not shown]
tk: updated to 8.6.18
8.6.18
Aqua: Non-menubar menu invisible if toplevel is on another display (chavez).
(bug) [a91b24] Correct macOSVersion on future macOS for older SDK builds (chavez)
(bug) [d93d96] Pointer arithmetic with NULL in ImgGetPhoto() (chavez)
(bug) [6c4795] leak in XCreateBitmapFromData() in ImgGetPhoto() (chavez)
(new) [04e173] Add support for Copy/Cut/Paste keys in X11 (nijtmans)
(bug) [95da0f] tkpWinRopModes[GXnoop] is R2_NOT, should be R2_NOP (chavez)
(bug) [2c240b] Install pkg-config file (oscarfv)
(bug) [816739] Install man pages (oscarfv)
[40 lines not shown]
py-django5: updated to 5.2.15
Django 5.2.15 fixes five security issues with severity “low” in 5.2.14.
CVE-2026-6873: Signed cookie salt namespace collision
get_signed_cookie() derived the signing salt by concatenating the cookie name (key) and salt arguments. When distinct name and salt pairs produced the same concatenation, cookies could be accepted in a context different from the one where they were signed.
Cookies are now signed with an unambiguous salt derivation. For backwards compatibility, cookies signed by older Django versions are accepted until Django 7.0. Projects affected by the above ambiguity should set SIGNED_COOKIE_LEGACY_SALT_FALLBACK to False to reject older cookies immediately.
This issue has severity “low” according to the Django security policy.
CVE-2026-7666: Potential unencrypted email transmission via STARTTLS in the SMTP backend
When using EMAIL_USE_TLS, a failed STARTTLS handshake could leave a partially-initialized connection that would subsequently be reused for sending email without encryption. This can occur with fail_silently=True, as used by send_mail() and BrokenLinkEmailsMiddleware, among others. Connections configured with EMAIL_USE_SSL are not affected.
This issue has severity “low” according to the Django security policy.
CVE-2026-8404: Potential exposure of private data via case-sensitive Cache-Control directives
[18 lines not shown]
py-django: updated to 6.0.6
Django 6.0.6 fixes five security issues with severity “low” and one bug in 6.0.5.
CVE-2026-6873: Signed cookie salt namespace collision
get_signed_cookie() derived the signing salt by concatenating the cookie name (key) and salt arguments. When distinct name and salt pairs produced the same concatenation, cookies could be accepted in a context different from the one where they were signed.
Cookies are now signed with an unambiguous salt derivation. For backwards compatibility, cookies signed by older Django versions are accepted until Django 7.0. Projects affected by the above ambiguity should set SIGNED_COOKIE_LEGACY_SALT_FALLBACK to False to reject older cookies immediately.
This issue has severity “low” according to the Django security policy.
CVE-2026-7666: Potential unencrypted email transmission via STARTTLS in the SMTP backend
When using EMAIL_USE_TLS, a failed STARTTLS handshake could leave a partially-initialized connection that would subsequently be reused for sending email without encryption. This can occur with fail_silently=True, as used by send_mail() and BrokenLinkEmailsMiddleware, among others. Connections configured with EMAIL_USE_SSL are not affected.
This issue has severity “low” according to the Django security policy.
CVE-2026-8404: Potential exposure of private data via case-sensitive Cache-Control directives
[22 lines not shown]
Update to version 2.1.1
2026/03/04: Version 2.1.1
Patch release.
Updated external libraries: JPEG 10.0, PNG 1.6.48, TIFF 4.7.1, ZLIB 1.3.2.
Fixed FLIR and RAW parser to work correctly on big-endian systems.
2025/06/22: Version 2.1.0
Maintenance release.
Updated external libraries: PNG 1.6.48.
Improved RAW image handler to handle all data types correctly.
Fixed bug compiling with MSYS2/Clang64.
joker: update to 1.8.1
General improvements
- Add joker.mail namespace
Linter improvements
- Implement more thorough type checking
- Fix redundant do linter warning in joker.better-cond/cond
filesystems/fuse{,3}: Tidy, NFCI
- Align DESCR to each other, taking the text that describes what the
package is, vs marketing copy about FUSE. Explain fuse2 vs 3, and
add a NetBSD-only see-also to perfused(8).
- trim duplicate bsd.prefs.mk
- align whitespace between versions to reduce diffs
- reorder some lines to reduce diffs
Likely more diff-reduction could be done, but this is what I felt
confident would not cause even any binary change in the package.
filesystems/perfuse: Explain why this is ~never built
perfuse is part of the NetBSD base system since 6, so while packages
depend on this to ensure perfuse, the package is ~never built.
